~ My CCIE Wireless Journey & More…..

EAP Overview

To strengthen the authentication phase of wireless client connections, 802.1X and EAP (Extensible Authentication Protocol) were introduced into the wireless standards. There are 3 key roles in this process: the client (supplicant), the authentication server (RADIUS) and the authenticator (the WLC in a unified deployment, or the autonomous AP in an autonomous deployment).

802.1X (EAPOL) carries the EAP exchange between the client and the authenticator, whereas between the authenticator and the authentication server the same EAP packets are carried inside RADIUS (in EAP-Message attributes). The authenticator only relays EAP; it does not interpret the method. EAP defines the header of each packet used in the authentication exchange between the client and the authentication server.

As shown above, there are 4 different types of EAP packets exchanged between client and server, identified by the Code field: Request (1), Response (2), Success (3) and Failure (4). Only Requests and Responses carry a Type field naming the method in use (Identity, EAP-TLS, PEAP, EAP-FAST and so on); Success and Failure carry no payload.
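To make the header concrete, here is an added example (not from the original post) that builds and parses EAP packets according to RFC 3748 and decodes the flags byte that EAP-TLS, PEAP and EAP-FAST put at the front of their Type-Data (RFC 5216). The sample exchange, the identity `user@example.com` and the MAC-free packet contents are constructed for illustration; the parser also rejects the malformed shapes (Length past the buffer, Success with a payload, Request without a Type) that a supplicant or RADIUS server must not accept.

```python
"""Build and parse EAP packets (RFC 3748 header, RFC 5216 EAP-TLS flags)."""
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values (RFC 3748 section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP Type values commonly seen in an 802.1X wireless exchange
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy-Nak",
             13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}
# Flags byte at the start of EAP-TLS / PEAP / EAP-FAST Type-Data
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More, Start


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]      # None for Success / Failure
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES[self.code]


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Serialise an EAP packet; the Length field covers the 4-byte header too."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting shapes RFC 3748 does not allow."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"Length {length} inconsistent with {len(pkt)} bytes received")
    body = pkt[4:length]          # anything past Length is padding and ignored
    if code in (3, 4):
        if body:
            raise ValueError("Success/Failure must not carry data")
        return EapPacket(code, identifier, length, None, b"")
    if not body:
        raise ValueError("Request/Response must carry a Type")
    return EapPacket(code, identifier, length, body[0], body[1:])


def is_valid_eap(pkt: bytes) -> bool:
    """Convenience wrapper: True if parse_eap accepts the packet."""
    try:
        parse_eap(pkt)
        return True
    except ValueError:
        return False


def parse_tls_flags(type_data: bytes) -> dict:
    """Decode the flags byte (and optional TLS Message Length) of EAP-TLS-style Type-Data."""
    if not type_data:
        raise ValueError("missing flags byte")
    flags = type_data[0]
    info = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "version": flags & 0x07,
            "tls_message_length": None}
    rest = type_data[1:]
    if info["L"]:
        if len(rest) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        info["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
        rest = rest[4:]
    info["tls_data"] = rest
    return info


# Constructed sample (not a real capture): the first packets of an EAP-TLS
# authentication as they travel inside EAPOL and inside RADIUS EAP-Message.
SAMPLE_EXCHANGE = [
    build_eap(1, 1, 1),                          # Request/Identity
    build_eap(2, 1, 1, b"user@example.com"),     # Response/Identity
    build_eap(1, 2, 13, bytes([FLAG_S])),        # Request/EAP-TLS Start
    build_eap(3, 9),                             # Success (after the handshake)
]


def describe(pkt: bytes) -> str:
    p = parse_eap(pkt)
    if p.type is None:
        return f"{p.code_name} id={p.identifier}"
    name = EAP_TYPES.get(p.type, f"Type {p.type}")
    return f"{p.code_name}/{name} id={p.identifier} data={p.type_data!r}"


if __name__ == "__main__":
    for pkt in SAMPLE_EXCHANGE:
        print(describe(pkt))
```

Running the block prints the four sample packets decoded; the Identifier matching between Request and Response (id=1 above) is what lets a supplicant pair a reply with its request, and the Length check is the one most often missing in home-grown parsers.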

With all EAP methods, Open System authentication and association take place first (Authentication Request, Authentication Response, Association Request and Association Response). Only once that phase completes does EAP start, normally with the authenticator's EAP-Request/Identity.

During authentication the client and the RADIUS server both derive the same keying material (the MSK); its first 256 bits become the PMK (Pairwise Master Key), which the RADIUS server passes to the authenticator in the Access-Accept. The PMK is unique to each authentication session of a given client, but it is not itself used to encrypt data: the client and the AP run the 4-way handshake to derive a fresh PTK (Pairwise Transient Key) from the PMK, the two MAC addresses and two nonces, and the temporal key inside the PTK protects unicast traffic. For broadcast and multicast traffic the AP generates a GTK (Group Temporal Key), common to all clients of the BSS, and delivers it to each client wrapped under that client's PTK during the handshake.
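The following added example (my code, not the blog's) carries the key hierarchy through: it takes the PMK from a constructed MSK, derives the PTK with the IEEE 802.11 PRF used by WPA2 (HMAC-SHA1, AKM 00-0F-AC:1), and shows why the PTK is fresh per association even when the PMK is cached. The MSK, MAC addresses and nonces are made up for illustration; the `derive_ptk` ordering with min/max is what the standard specifies so that AP and client compute the same key whichever side they are.

```python
"""PMK -> PTK derivation (IEEE 802.11, 4-way handshake) with the WPA2 PRF.
All inputs below are constructed for illustration, not captured keys."""
import hashlib
import hmac


def pmk_from_msk(msk: bytes) -> bytes:
    """With 802.1X the PMK is the first 256 bits of the MSK that the EAP method
    (e.g. EAP-TLS) exports identically on the client and the RADIUS server."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes (EAP-TLS exports 64)")
    return msk[:32]


def prf(key: bytes, label: str, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i) for i = 0,1,..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label.encode() + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tk_len: int = 16) -> dict:
    """4-way handshake key expansion. Addresses and nonces are sorted with
    min/max so both sides derive the same PTK regardless of argument order.
    tk_len=16 is CCMP's 128-bit temporal key (TKIP would use 32)."""
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces are 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, "Pairwise key expansion", data, 32 + tk_len)
    return {"KCK": ptk[:16],             # keys the EAPOL-Key MIC
            "KEK": ptk[16:32],           # wraps the GTK sent in message 3
            "TK": ptk[32:32 + tk_len]}   # encrypts unicast data frames


def eapol_key_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 over the frame (MIC field zeroed), first 128 bits."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed inputs: an MSK as an EAP method would export it, the AP and
# client MAC addresses, and the two handshake nonces.
MSK = bytes(range(64))
AA = bytes.fromhex("001122334455")       # authenticator (AP) address
SPA = bytes.fromhex("66778899aabb")      # supplicant (client) address
ANONCE = hashlib.sha256(b"anonce-1").digest()
SNONCE = hashlib.sha256(b"snonce-1").digest()


def demo() -> dict:
    """Derive the PTK as the AP and as the client and return both for comparison."""
    pmk = pmk_from_msk(MSK)
    ap_side = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    client_side = derive_ptk(pmk, SPA, AA, SNONCE, ANONCE)   # same inputs, swapped order
    return {"pmk": pmk, "ap": ap_side, "client": client_side}


if __name__ == "__main__":
    r = demo()
    print("PMK", r["pmk"].hex())
    print("TK ", r["ap"]["TK"].hex(), "identical on both sides:", r["ap"] == r["client"])
```

The PMK never leaves the client and the RADIUS server (it reaches the AP only via the RADIUS attribute in the Access-Accept), and since a new SNonce changes the whole PTK, an attacker who records one handshake cannot reuse its keys against the next association even under PMK caching.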

Of the 3 EAP methods covered here, EAP-TLS is the most secure. Both the client and the authentication server present certificates issued through a PKI (Public Key Infrastructure), so the server authenticates the client by its certificate and the client can verify the server before any credential is sent. Though it is the most secure, client certificate management (issuing, renewing and revoking a certificate for every client) is the burden. The EAP-TLS packet flow is shown below.

In PEAP the supplicant does not need a certificate, which removes the administrative burden of EAP-TLS client certificates: only the server presents a certificate, a TLS tunnel is built to it, and the client's credentials are sent inside that tunnel. The security of PEAP therefore rests on the supplicant validating the server certificate; a client configured not to validate it will hand its credentials to any rogue AP and RADIUS server. PEAP exists in two flavors.

Of the 3 methods, EAP-FAST is Cisco's own. It uses a PAC (Protected Access Credential) instead of a client certificate. The PAC consists of a PAC-Key (a secret shared between client and server, used to build the TLS tunnel), a PAC-Opaque (the same key plus client identity, encrypted so that only the EAP-FAST server that generated the PAC can decrypt it) and PAC-Info (including the server's Authority ID, A-ID). EAP-FAST has 3 phases, called 0, 1 and 2, shown below (Phase 0 in the first diagram, Phases 1 and 2 in the second): Phase 0 provisions the PAC to the client, Phase 1 builds the TLS tunnel from the PAC, and Phase 2 runs the inner user authentication inside the tunnel. If Phase 0 uses anonymous in-band provisioning (an unauthenticated Diffie-Hellman tunnel), an attacker posing as the server can sit in that first exchange, so authenticated provisioning with a server certificate, or out-of-band provisioning, should be preferred.